While I was at Enfuse 2017 a couple of weeks ago, I heard four letters repeated over and over again: GDPR. It stands for General Data Protection Regulation and will be enforced throughout the European Union as of May 25, 2018.
GDPR protects the personal data of every person in the EU, and its reach does not stop at the EU's borders. How does that affect U.S. businesses? If your company processes the personal data of people in the EU, for example because you sell to them, store their account or payment details, or track their behaviour online, you have to comply even though you are based in the U.S. Not being compliant is costly: fines of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher.
The good news is that companies still have a little more than 11 months to get ready for GDPR. The bad news is that most companies are woefully behind on those efforts, if they even know about GDPR and whether it applies to them. A recent study from Varonis surveyed IT decision makers in the EU and in the U.S. and found that 52 percent said they struggle to identify the PII on their networks and to determine who has access to it. That is the foundation of compliance: you cannot protect, minimize, or delete on request data you cannot find, and GDPR's definition of personal data is broader than the U.S. notion of PII, since it also covers online identifiers such as IP addresses and cookie IDs. Perhaps even more alarming is that 42 percent of respondents said that GDPR isn't a priority for their company. Looking at how devastating those fines would be, especially for smaller organizations, I can't imagine why GDPR isn't a bigger deal.
The survey is consistent with others reported by eSecurity Planet and with comments made by Illena Armstrong, VP editorial at SC Magazine, at Enfuse 2017. Armstrong said that nearly a third of American companies surveyed didn't have a timetable for the rollout and that 14 percent said they would rather divest their EU assets than comply with GDPR. Also not surprising is that large corporations are moving forward on GDPR compliance while SMBs are lagging behind, if they've started at all.
This is definitely going to be a story to keep watching in the coming months, and I'll be interested to see what similar studies say about GDPR readiness around Christmastime, when we're down to less than six months before enforcement begins.
I've talked to plenty of people about GDPR. A few security experts expressed hope that having to comply for the EU will kick-start similar regulation in the U.S. I asked Theresa Payton, president and CEO of Fortalice Solutions, for her opinion as a former White House CIO. Her response wasn't promising. She said that, in her opinion, GDPR-type legislation will never see the light of day in the U.S. because Congress and the individual states are too fragmented. But she added that she hopes businesses will aim for the privacy and security standards set by whichever state sets the highest bar, and then continue to strive to be even better.
Becoming compliant with the EU’s GDPR is a good place to start on that process.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba